Re: accessing guest wireless networks
Date: Fri, 28 Oct 2022 17:22:16 UTC
Andrew Gould wrote:
> I have wpa_supplicant.conf configured to successfully access two different
> home networks; but I can’t seem to figure out how to access guest networks
> (is this the right term?) at places like Starbucks.
>
> network={
>   ssid=“Starbucks WiFi”
         ^              ^
         !              !
>   bssid=any
>   key_mgmt=NONE
>   scan_ssid=1
>   priority=4
> }
>
> What else do I need?

Those quotation marks are UTF-8 and not ASCII. Change those to the
traditional ASCII double quotes.

I have only exactly the following in my wpa_supplicant.conf file and this
works for me.

network={
  ssid="Starbucks WiFi"
  key_mgmt=NONE
}

Note that with the Starbucks captured portal one must open a web page in a
compatible browser, allow it to be attacked with a MITM attack, land on the
Starbucks authentication page, and click through their agreement. I am
using Firefox and Firefox automatically recognizes many captured portals
and will emit a dialog line with a button just above the page body content.
Clicking that Firefox dialog button works for me.

This captured portal access can be problematic if using a local DNSSEC
validating nameserver such as unbound because captured portals like
Starbucks are MITM attacks which DNSSEC is designed to stop. Also DNS over
HTTP DoH being enabled in the browser may prevent the captured portal from
the MITM attack needed to open the portal.

Before attempting to authenticate with the captured portal disable DoH in
the web browser and stop any local caching nameserver. Inspect
/etc/resolv.conf to ensure that the Starbucks captured portal DHCP assigned
nameservers are in use and NOT "safe" ones like 8.8.8.8 or any of the other
similar ones. Since you must allow yourself to be DNS attacked in order to
gain access through the router you need to use the DHCP provided
nameservers. Attempting to go to any URL name, the DNS will resolve to a
captured portal router which will issue an http redirect causing the
browser to visit the portal page. That's the MITM that must be allowed to
gain access.

Then after completing the captured portal handshake and getting on the
network don't forget to return to a normal network configuration. Start up
unbound if using unbound. Enable DoH in the web browser again if using DoH.

Background reference.

https://en.wikipedia.org/wiki/Captive_portal

Bob
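
Added example, not part of the original message or of any project's code: a small pre-flight check for the two problems discussed in this thread, non-ASCII quotation marks in wpa_supplicant.conf and resolv.conf nameservers that would bypass the portal's DHCP-assigned DNS. The function names, the list of public resolvers beyond 8.8.8.8, and the sample inputs are assumptions constructed for illustration.

```python
import ipaddress
import re

# Typographic double quotes that editors and mail clients substitute for ASCII ".
SMART_QUOTES = "\u201c\u201d\u201e\u201f"
# Illustrative list of public resolvers; only 8.8.8.8 is named in the message.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def find_smart_quotes(conf_text):
    """Return (line_number, line) for each config line holding a non-ASCII quote."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment lines are not parsed as settings
        if any(ch in SMART_QUOTES for ch in line):
            hits.append((number, line.strip()))
    return hits


def audit_resolv_conf(resolv_text):
    """Classify each nameserver as 'local', 'public' or 'dhcp-candidate'."""
    findings = []
    for line in resolv_text.splitlines():
        match = re.match(r"\s*nameserver\s+(\S+)", line)
        if not match:
            continue
        address = match.group(1)
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, "unparseable"))
            continue
        if ip.is_loopback:
            verdict = "local"  # e.g. a local unbound; stop it before the portal step
        elif address in PUBLIC_RESOLVERS:
            verdict = "public"  # would not receive the portal's DNS answers
        else:
            verdict = "dhcp-candidate"  # plausibly the resolver handed out by DHCP
        findings.append((address, verdict))
    return findings


# Constructed sample inputs (the 172.31.98.1 address is made up).
SAMPLE_CONF = "network={\n  ssid=\u201cStarbucks WiFi\u201d\n  key_mgmt=NONE\n}\n"
SAMPLE_RESOLV = "# constructed\nnameserver 127.0.0.1\nnameserver 8.8.8.8\nnameserver 172.31.98.1\n"

if __name__ == "__main__":
    for number, line in find_smart_quotes(SAMPLE_CONF):
        print(f"wpa_supplicant.conf line {number}: non-ASCII quote in {line!r}")
    for address, verdict in audit_resolv_conf(SAMPLE_RESOLV):
        print(f"resolv.conf nameserver {address}: {verdict}")
```

A "dhcp-candidate" verdict only means the address is neither loopback nor on the illustrative public list; compare it against the DHCP lease to confirm.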